#!/bin/sh
#
# syslog-scheduler.sh
# upgrade for syslog-scheduler.sh
# written by changfugang@feinno.com
# last modified in 2011-09-26
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin:/usr/local/logcheck/bin

# initialize state
SAVE_ATTACK=0

# change this!
mailDM='fetionyy.com.cn'
SYSADMIN="xtjc-critical@$mailDM xtjc-alarm@$mailDM"
#SYSADMIN="changfugang@$mailDM"

messageService='http://192.168.249.43/ServicePortal/AlertService.ashx'
mobiles='15901155677,13511062365,15210546635,13521021298,13810205559,13910117604,15901298988,13436686684'
#mobiles='15901155677'

LOGTAIL=/usr/local/logcheck/bin/logtail

# chmod 700
BASEDIR=/usr/local/logcheck/etc
TMPDIR=${BASEDIR}/tmp
LOGTAILDIR=${TMPDIR}/logtail
if [ ! -d $LOGTAILDIR ]; then
    mkdir -p $LOGTAILDIR
fi 
# change it for a test
#TMPDIR='/usr/local/logcheck/etc/tmp.test'

GREP=egrep
MAIL=mail
HACKING_FILE=/usr/local/logcheck/etc/logcheck.hacking
VIOLATIONS_FILE=/usr/local/logcheck/etc/logcheck.violations
VIOLATIONS_IGNORE_FILE=/usr/local/logcheck/etc/logcheck.violations.ignore
IGNORE_FILE=/usr/local/logcheck/etc/logcheck.ignore
LOG_FILE_DIR=/var/log/syslog-ng
# change it for a test
#LOG_FILE_DIR='/var/log/syslog-ng.test'
HOSTNAME=`hostname`
DATE=`date +%Y-%m-%d/%H:%M`
MyDATE=`date +%Y-%m-%d`

umask 077

cat /dev/null > $TMPDIR/check
cat /dev/null > $BASEDIR/migrate/badly_formatted_logs
rm -f $TMPDIR/logtail/*messages*

for line in `ls $LOG_FILE_DIR`
 do
  $LOGTAIL $LOG_FILE_DIR/$line/messages_${MyDATE} > ${TMPDIR}/logtail/${line}_messages_${MyDATE}
 done

# running analyse.pl
/usr/local/logcheck/etc/syslog-analyse.pl

# extend analyse the $TMPDIR/check file
/usr/local/logcheck/etc/syslog-migrate.pl

if [ ! -s $TMPDIR/check ]; then
        rm -f $TMPDIR/check
        exit 0
fi

#start report
echo > $TMPDIR/finalreport.$$
cat /dev/null > $TMPDIR/finalmessages.$$
echo "BEGIN REPORT" >> $TMPDIR/finalreport.$$
echo  >> $TMPDIR/finalreport.$$

cd $TMPDIR/hosts

for host in *
do
        if [ -s $host ]; then

        FOUND=0
        ATTACK=1
	ONLYMAIL=0

	# is onlymail?
	if [ `echo $host|awk /_onlymail/` ]; then
		ONLYMAIL=1
	else
		echo "Syslog Report on $host at $DATE" >> $TMPDIR/finalmessages.$$
	fi
	
        echo "------------------------------" >> $TMPDIR/finalreport.$$
        echo "Syslog Report on <b>$host</b>" >> $TMPDIR/finalreport.$$

        # Check for hacking
        if $GREP -i -f $HACKING_FILE $host > $TMPDIR/checkoutput.$$; then
                echo >> $TMPDIR/checkreport.$$
                echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
                echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
                cat $TMPDIR/checkoutput.$$ |sort >> $TMPDIR/checkreport.$$
                FOUND=1
                ATTACK=1
        fi

        # Check for security violations
        if $GREP -i -f $VIOLATIONS_FILE $host |
           $GREP -v -f $VIOLATIONS_IGNORE_FILE | 
           $GREP -v -f $IGNORE_FILE > $TMPDIR/checkoutput.$$; then
                echo >> $TMPDIR/checkreport.$$
                echo "Security Violations" >> $TMPDIR/checkreport.$$
                echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
                echo >> $TMPDIR/checkreport.$$
                cat $TMPDIR/checkoutput.$$ |sort >> $TMPDIR/checkreport.$$
                FOUND=1
        fi


        # create checkreport
        if [ -f "$IGNORE_FILE" ]; then
                if $GREP -v -f $IGNORE_FILE $host > $TMPDIR/checkoutput.$$; then
                        echo >> $TMPDIR/checkreport.$$
                        echo "Unusual System Events"  >> $TMPDIR/checkreport.$$
                        echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
                        echo >> $TMPDIR/checkreport.$$
                        cat $TMPDIR/checkoutput.$$ |sort >> $TMPDIR/checkreport.$$
                        FOUND=1
                fi
        fi

	#report by result
        if [ "$ATTACK" -eq 1 ]; then
                cat $TMPDIR/checkreport.$$ >> $TMPDIR/finalreport.$$
		if [ "$ONLYMAIL" -eq 0 ]; then
	                awk '{gsub(/<[^>]*>/,"",$0);print}' $TMPDIR/checkreport.$$ >> $TMPDIR/finalmessages.$$
		else
			echo "no shortmessage"
		fi
        elif [ "$FOUND" -eq 1 ]; then
                cat $TMPDIR/checkreport.$$ >> $TMPDIR/finalreport.$$
                if [ "$ONLYMAIL" -eq 0 ]; then
                	awk '{gsub(/<[^>]*>/,"",$0);print}' $TMPDIR/checkreport.$$ >> $TMPDIR/finalmessages.$$
		else
			echo "no shortmessage"
		fi
        else
                echo "" >> $TMPDIR/finalreport.$$
                echo "Nothing of interest to report on $host " >> $TMPDIR/finalreport.$$
        fi

        echo "" >> $TMPDIR/finalreport.$$

        # Clean Up for the next loop
        rm -f $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$

        if [ "$ATTACK" -eq 1 ]; then
                SAVE_ATTACK=1
        fi

fi
done

echo "" >> $TMPDIR/finalreport.$$
echo "END OF REPORT" >> $TMPDIR/finalreport.$$
if [ -s $TMPDIR/finalmessages.$$ ]; then
	echo "__END__" >> $TMPDIR/finalmessages.$$
fi


# mail and send message
mailFrom="report@syslog.feinno.com"
if [ "$SAVE_ATTACK" -eq 1 ]; then
        echo "sending email..."
        SUBJECT="$HOSTNAME $DATE ACTIVE SYSTEM REPORT!"
	(echo -e "To: $SYSADMIN\nFrom: $mailFrom\nMIME-Version:1.0\nContent-type:text/html;charset=gb2312\nSubject: $SUBJECT\n\n<pre>";cat $TMPDIR/finalreport.$$;echo "<pre>")| /usr/sbin/sendmail -vt

    if [ -s $TMPDIR/finalmessages.$$ ]; then 
        echo "sending messages..."
	curl -d "cid=NAGIOS&mobiles=$mobiles&content=`cat $TMPDIR/finalmessages.$$`" $messageService
    fi

else
	echo "Is nothing."
fi

# Clean Up
rm -f $TMPDIR/hosts/* $TMPDIR/finalreport.$$ $TMPDIR/finalmessages.$$
